malformed cpio file causes segfault #503

Closed
kwrobot opened this Issue Apr 11, 2015 · 4 comments
kwrobot commented Apr 11, 2015

Original issue 395 created by Google Code user hanno@hboeck.de on 2015-02-01T20:50:16.000Z:

The attached file will crash bsdcpio.

What steps will reproduce the problem?
1. bsdcpio -i < crash.cpio
2. segfault

What version are you using?
Tried both 3.1.2 and current git.

On what operating system?
Linux

How did you build?  (cmake, configure, or pre-packaged binary)
3.1.2 with configure, git with cmake

What compiler or development environment (please include version)?
gcc 4.9.2

Please provide any additional information below.

crash dump by valgrind:
==14051== Invalid read of size 8
==14051==    at 0x4C2ECB0: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14051==    by 0x41AEAD: __archive_read_ahead (in /mnt/ram/libarchive/c/bin/bsdcpio)
==14051==    by 0x42FDE7: header_bin_le (in /mnt/ram/libarchive/c/bin/bsdcpio)
==14051==    by 0x430530: archive_read_format_cpio_read_header (in /mnt/ram/libarchive/c/bin/bsdcpio)
==14051==    by 0x418B98: _archive_read_next_header (in /mnt/ram/libarchive/c/bin/bsdcpio)
==14051==    by 0x40DFAE: main (in /mnt/ram/libarchive/c/bin/bsdcpio)
==14051==  Address 0xffffffff8954c260 is not stack'd, malloc'd or (recently) free'd

I will also attach full valgrind and address sanitizer output.

This issue was found with american fuzzy lop.

See attachment: crash.cpio.asan.txt
See attachment: crash.cpio.valgrind.txt
See attachment: crash.cpio
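The valgrind trace above places the invalid read inside the read-ahead called from header_bin_le, i.e. while the old binary ("bin") cpio header is being parsed, and the later comments tie it to a header that describes a very large input file. As an added example (mine, not libarchive's code and not part of this report), here is a bounds-checked parser for that 26-byte little-endian header layout: every length taken from the header (namesize and filesize) is checked against the bytes actually available before any pointer into the name or data is formed, so a header advertising more bytes than the input holds is rejected with an error rather than read. The sample archives, the status codes and all function and type names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Old binary ("bin") cpio header: 26 bytes of little-endian 16-bit fields. */
#define CPIO_BIN_MAGIC      070707
#define CPIO_BIN_HEADER_LEN 26

enum cpio_status {
    CPIO_OK = 0,
    CPIO_ERR_SHORT,   /* fewer than 26 bytes left for a header            */
    CPIO_ERR_MAGIC,   /* magic is not 070707                               */
    CPIO_ERR_NAME,    /* namesize is 0, name does not fit, or lacks a NUL  */
    CPIO_ERR_DATA     /* filesize claims more bytes than the input holds   */
};

struct cpio_bin_entry {
    uint32_t mode, mtime, namesize, filesize;
    const char    *name;     /* points into the caller's buffer, NUL-terminated */
    const uint8_t *data;     /* points into the caller's buffer                 */
    size_t         consumed; /* header + padded name + padded data              */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static size_t   pad2(size_t n)         { return n + (n & 1); } /* fields are 2-byte aligned */

/* Parse one entry at buf. Each length read from the header is checked against
 * len before the name/data pointers exist, so an oversized claim yields an
 * error instead of a read past the end of the buffer. */
enum cpio_status
cpio_bin_read_entry(const uint8_t *buf, size_t len, struct cpio_bin_entry *e)
{
    if (len < CPIO_BIN_HEADER_LEN)   return CPIO_ERR_SHORT;
    if (le16(buf) != CPIO_BIN_MAGIC) return CPIO_ERR_MAGIC;

    e->mode     = le16(buf + 6);
    e->mtime    = ((uint32_t)le16(buf + 16) << 16) | le16(buf + 18); /* high word first */
    e->namesize = le16(buf + 20);
    e->filesize = ((uint32_t)le16(buf + 22) << 16) | le16(buf + 24); /* high word first */

    size_t remaining = len - CPIO_BIN_HEADER_LEN;
    size_t name_len  = pad2(e->namesize);
    if (e->namesize == 0 || name_len > remaining) return CPIO_ERR_NAME;
    e->name = (const char *)buf + CPIO_BIN_HEADER_LEN;
    if (e->name[e->namesize - 1] != '\0')         return CPIO_ERR_NAME;
    remaining -= name_len;

    /* Compare the 32-bit filesize as size_t; check before and after padding. */
    if ((size_t)e->filesize > remaining)          return CPIO_ERR_DATA;
    size_t data_len = pad2((size_t)e->filesize);
    if (data_len > remaining)                     return CPIO_ERR_DATA;
    e->data     = buf + CPIO_BIN_HEADER_LEN + name_len;
    e->consumed = CPIO_BIN_HEADER_LEN + name_len + data_len;
    return CPIO_OK;
}

/* Walk an in-memory archive up to the TRAILER!!! entry. Returns the number of
 * real entries, or -1 with *err set to the first error. Always terminates:
 * consumed >= 26 on every step, so the remaining length strictly shrinks. */
int cpio_bin_count_entries(const uint8_t *buf, size_t len, enum cpio_status *err)
{
    struct cpio_bin_entry e;
    size_t off = 0;
    int n = 0;
    for (;;) {
        enum cpio_status s = cpio_bin_read_entry(buf + off, len - off, &e);
        if (s != CPIO_OK) { *err = s; return -1; }
        off += e.consumed;
        if (strcmp(e.name, "TRAILER!!!") == 0) { *err = CPIO_OK; return n; } /* name is NUL-checked above */
        n++;
    }
}

/* Constructed sample headers (not taken from the attachment in this report). */
#define LE16(v) (uint8_t)((v) & 0xff), (uint8_t)(((v) >> 8) & 0xff)
#define BIN_HDR(mode, namesize, fsize_hi, fsize_lo)                          \
    LE16(CPIO_BIN_MAGIC), LE16(0), LE16(1), LE16(mode), LE16(0), LE16(0),    \
    LE16(1), LE16(0), LE16(0), LE16(0), LE16(namesize), LE16(fsize_hi), LE16(fsize_lo)

/* One file "a" holding the byte 'X', then the trailer: well formed. */
static const uint8_t SAMPLE_GOOD[] = {
    BIN_HDR(0100644, 2, 0, 1), 'a', 0, 'X', 0,
    BIN_HDR(0, 11, 0, 0), 'T','R','A','I','L','E','R','!','!','!', 0, 0,
};
/* filesize 0xFFFFFFFF: claims ~4 GiB of data behind a 30-byte input. */
static const uint8_t SAMPLE_BAD_FILESIZE[] = { BIN_HDR(0100644, 2, 0xFFFF, 0xFFFF), 'a', 0, 'X', 0 };
/* namesize 0xFFFF: the name would run far past the 2 bytes that follow. */
static const uint8_t SAMPLE_BAD_NAMESIZE[] = { BIN_HDR(0100644, 0xFFFF, 0, 0), 'a', 0 };

int demo_good_archive(void) { enum cpio_status s; return cpio_bin_count_entries(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &s); }
int demo_bad_filesize(void) { enum cpio_status s; cpio_bin_count_entries(SAMPLE_BAD_FILESIZE, sizeof SAMPLE_BAD_FILESIZE, &s); return s; }
int demo_bad_namesize(void) { enum cpio_status s; cpio_bin_count_entries(SAMPLE_BAD_NAMESIZE, sizeof SAMPLE_BAD_NAMESIZE, &s); return s; }

int main(void)
{
    printf("good archive: %d entries\n", demo_good_archive());          /* 1 */
    printf("bad filesize: status %d (CPIO_ERR_DATA=%d)\n", demo_bad_filesize(), CPIO_ERR_DATA);
    printf("bad namesize: status %d (CPIO_ERR_NAME=%d)\n", demo_bad_namesize(), CPIO_ERR_NAME);
    return 0;
}
```

The point of the two malformed samples is that the parser never needs to trust the header: the name is only dereferenced after its padded length has been subtracted from what is left of the buffer, and the 32-bit filesize is compared as a size_t before any data pointer is formed, so both cases fail with a status code and a streaming reader built on top would report an error rather than attempt an oversized read.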

kwrobot commented Apr 11, 2015

Comment #1 originally posted by kientzle on 2015-02-01T22:11:15.000Z:

This is exactly the same as Issue 394.

kwrobot commented Apr 11, 2015

Comment #2 originally posted by Google Code user hanno@hboeck.de on 2015-02-03T03:21:58.000Z:

Ah, okay, I saw 394 but it talked about bsdtar, not bsdcpio, so I thought it must be a different issue.

I just checked current git and it hangs on the file. Is this the expected behaviour? (in bug 394 you mention that it just encodes a very large input file - so it may just do its job and try to decompress something big - GNU cpio also hangs)
kwrobot commented Apr 11, 2015

Comment #3 originally posted by Google Code user tim@kientzle.com on 2015-02-07T06:09:07.000Z:

I'm not seeing the hang here.  After applying the fix for bug 394, it seems to correctly fail with an error.

The only issue I do see:  The error message is empty.  I've just committed a fix for that.

If you're still seeing it with current git commit 24f5de6, please give me more details and I'll see if I can track it down.

Thank you!

kwrobot commented Apr 11, 2015

Comment #4 originally posted by Google Code user hanno@hboeck.de on 2015-02-07T10:34:37.000Z:

With latest git it seems fine. Prints an error as expected and no hang.

@kwrobot kwrobot closed this Apr 11, 2015